Cybersecurity Fatigue is a fast emerging sentiment

Desensitised to cyber-crime and cybersecurity? Exhausted with horrifying cyber-attacks stories and revisiting cybersecurity issues every month or quarter? Well, many of us are…As the cumulative effect of this phenomenon erodes our attentiveness, here are a few tips that might help to get back the sensitivity of securing our online life.

Have are you ever been tired of your IT department asking you to change your password yet again and then going back to the old routine of writing the password down and sticking somewhere in front of you? Have you ever changed your mind and given up an attractive online purchase because you did not want to create another account and burden yourself with remembering (and frequently changing) another password? Ever refused to read and listen to devastating cyber-attacks that have caused enormous damage to companies, individuals or nation-states?

If your answer is yes, you might be affected by ‘cybersecurity fatigue’. Simply put, it often becomes too much to have another worry in this already troublesome and insecure world.

It happens to all of us

Cybersecurity fatigue manifests itself in much the same way in what psychologists call ‘decision fatigue’ or ‘ego depletion’. It drains our mental energy making us less resistant to real dangers and lures us to do things without real consideration for consequences.

“I get tired of remembering my username and passwords. I never remember the PIN numbers; there are too many things for me to remember. It is frustrating to have to remember this useless information.”

“[It]…first gives me a login, then it gives me a site key I have to recognise, then gives me a password. So that is enough, don’t ask me anything else” was a resentful testimony of one of the participants in a recent US National Institute of Standards and Technology (NIST) study. “It also bothers me when I have to go through more additional security measures to access my things or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly”, added another irked participant in this study.

Do these quotes sound familiar? To many of us, they indeed do!

Certainly, a decade or so ago we cared less about cybersecurity since all we had to remember was a single password or two, but now we have to deal with 20 or 30 different passwords, keywords, logins, PINs, and other fancy words.

The cited NIST study found that many participants have reached the saturation point, which desensitised them to cybersecurity. Being bombarded with numerous cybersecurity messages, advice and demands for compliance, users lose interest to listen and comply. As such users tend to avoid these directives and, in order to regain control, behave irrationally by adopting a ‘head in the sand’ approach, embracing a carefree online attitude driven by impulse and immediate gratification. The usual motivation behind this behaviour is the perception that much of the shocking impact of cyber-attacks is due mainly to the bellicose headlines that often report on these stories.

It is needless to say that this ‘bury head in the sand’ approach is the most damaging to those self-deceiving users. This behaviour can, for example, result in stolen identities, which can often end up in stolen money or reputation. Refusing to enhance online security because people loathe the added security pathways can cost businesses revenue and lost customers. Not securing access to company’s data can cost organisations millions.

The fact is that we cannot (easily) escape from the pervasive digital world. It then poses the question if anything can be done to avoid being afflicted by ‘cybersecurity fatigue’?

Handling cybersecurity fatigue

The first step in managing cybersecurity fatigue should be a recognition that, when under fatigue, we tend to make ‘escaping’ decisions. Declaring that nobody will attack us as we are too small and do not have anything of great value or that cybersecurity is somebody else’s responsibility – these are all examples of self-deception.

Reading stories, such as a recent BitSight’s report, that show that at least one out of every 20 Fortune 1,000 companies had experienced a publicly disclosed breach, prods some people to think that the cybersecurity measures do not have any value. Hence, it is needless to bother. This defeatist behaviour inhibits people to make right decisions. However, by doing nothing the cybersecurity threats will not disappear.

Cybersecurity by design: merge usability and security

Psychology studies suggest that the human behaviour is often unpredictable. Hence, the current cybersecurity paradigm suggests that the security in the digital world should be moved away from human beings as much as possible. In this regard, the US NIST gives to the designers of digital devices and applications three pieces of advice: limit the number of security decisions users need to make; make it simple for users to choose the right security action: and design for consistent decision making whenever possible.

Although not stating it explicitly, these NIST guidelines are directly related to the ideas of ‘cybersecurity by design’ and ‘usable cybersecurity’. The former refers to the software being designed from the ground up to be secure.The latter means an appropriate cybersecurity of applications and devices that will not significantly limit users’ in doing their everyday work.

In both cases, cybersecurity responsibilities shift from users to developers. The idea behind cybersecurity by design is to move as much of the security-related decisions away from users. This, among others, means producing applications and devices with enhanced built-in security that will it make harder for users to make mistakes and also help them to recover from already made mistakes.

Personal cyber hygiene

We are, however, not quite there as cybersecurity by design and usable security are yet to become the norm. In the meantime, we as users should try to manage cybersecurity fatigue. A good start would be closing any digital account that is not in use anymore. This is one of best ways to rid of unnecessary worries if these accounts are being hacked.

A password manager can alleviate security fatigue by allowing us to remember a single password instead of 22 that we have to remember on average. The problem can arise if we lose a device with this application or if the application gets corrupt.

For some accounts, we can use social media (e.g. Google, Facebook, LinkedIn, or Twitter) to log in, if that option is available. This option, however, is reasonable only if we have very strong passwords for our social media accounts.

Not clicking on unknown or suspicious links whether on websites or in emails can save us from many troubles. It will prevent the malware infection and help to keep our credentials safe. A maxim ‘better safe than sorry’ should become the order of the day for keeping cybersecurity fatigue away.

Setting software on automatic update always when possible is another habit that will reduce a need for remembering this important security task. This is particularly important for the cybersecurity programmes such as firewalls and antivirus software. Also, introducing advanced cybersecurity technologies (i.e. artificial intelligence based protection) when possible can significantly reduce our cybersecurity fatigue.

Avoiding cybersecurity information overload is yet another way of managing cybersecurity fatigue. It is indeed easier said than done but we should try not to read everything that is daily served to us on the Internet. For example, instead of reading about ‘55 ways to secure our digital life’, we should strive to learn more about a single cybersecurity topic or two per week that we can easily relate to.

Insurance can also help in dealing with cybersecurity fatigue. In these times of still non-bulletproof technology and skills shortage, IT and business managers increasingly consider taking cybersecurity insurance to protect organisational IT budget from unforeseen cybersecurity incidents. The main benefits of cyber insurance include cover for various costs: from IT internal forensic investigation of cybersecurity incidents to the processes of recovering and lost income.

Cybersecurity awareness and culture

Being knowledgeable about common cybersecurity scams is a driving motivation behind cybersecurity campaigns. However, it is well reported that many cybersecurity awareness campaigns fail to change behaviour due to cybersecurity fatigue of employees. Hence, the role of many cybersecurity awareness campaigns and programmes should be re-examined as they also contribute to cybersecurity fatigue. Generally, these campaigns should be based on personal concerns, without too many details of how the attacks are done but what the consequences are.

Building a proactive culture, which demonstrates that cybersecurity is not a solely technological problem, can also help in managing security fatigue. Educating and training users how to protect their devices and data should be a part of organisational culture. Developing this kind of culture should start at the school level and then extended beyond to the working places and private lives, hence making it a national cybersecurity minded culture.

More work to be done

It is necessary to reiterate that cybersecurity fatigue can make computer users feel hopeless and act recklessly. Looking forward, it is good to know that reputable standardisation organisations such as NIST have recognised and are addressing cybersecurity fatigue. However, at this point, this topic is not sufficiently explored in the international or South African context. Hence, this is a call for researchers and practitioners in South Africa to shed more light on this increasingly significant topic. What is really needed is not another complex cybersecurity framework but uncomplicated guidelines that can reflect the ever-changing environment and can be easily adapted and adopted by various organisations and computer users.